Merge "Allow getopt to eliminate warnings in MicrodroidBenchmarks tests"
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 0d6d42c..1a1ed62 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -123,7 +123,7 @@
# Apps can read/write an already open vsock (e.g. created by
# virtualizationservice) but nothing more than that (e.g. creating a
# new vsock, etc.)
-neverallow all_untrusted_apps *:vsock_socket ~{ getattr read write };
+neverallow all_untrusted_apps *:vsock_socket ~{ getattr getopt read write };
# Disallow sending RTM_GETLINK messages on netlink sockets.
neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/public/te_macros b/public/te_macros
index 78e7636..551f4f3 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -199,7 +199,7 @@
# communicate with the VM that it created. Notice that we do not grant
# permission to create a vsock; the client can only connect to VMs
# that it owns.
-allow $1 virtualizationservice:vsock_socket { getattr read write };
+allow $1 virtualizationservice:vsock_socket { getattr getopt read write };
# Allow client to inspect hypervisor capabilities
get_prop($1, hypervisor_prop)
# Allow client to read (but not open) the crashdump provided by virtualizationservice